[SecurityRatty] tag: billion

Even the Rich and Famous pay the price for being Dishonest and Unethical

Sun, 29 Jun 2008 12:05:00 +0000

All of our courses - in the U.S. and over seas, begin with the same message - ETHICS is the keystone of our profession and our success. It's a shame that famed litigator - Richard "Dickie" Scruggs forgot that lesson.

In yesterday's Washington Post, the headline reads; "Famed Litigator Gets 5-Year Term for Conspiracy to bribe Judge". For those who are not familiar with him, Scruggs became one of the wealthiest and most famous lawyers in the country by taking on tobacco, insurance and asbestos companies.

What did he do? Well, for starters (and what they were able to prove), he attempted to bribe Lafayette County Circuit Court Judge Henry Lackey by offering him $50,000.00. U.S. District Judge Neal Biggers Jr., called Scruggs' conduct "reprehensible" and told him that he picked the wrong Judge to bribe. In addition to the 5 year jail term, he was fined $250,000.00 and lost his law license.

You really got to love it when Justice is rightfully served. Unfortunately, it makes me wonder how many more sleazy lawyers around the country and unethical Judges are not getting reported and prosecuted. It is a little too hard to believe that Scruggs is the only dirt-bag in the legal profession. We welcome the message it sends out; "nobody is above the law".

Like most, if not all common criminals, Richerd Scruggs became greedy. In 1990, Scruggs became famous for suing tobacco companies and winning lawsuits that resulted in a $206 BILLION dollar settlement. If his take of that was just 10%, he walked away with a cool $20.6 Billion dollars. A film was even made about the case - "The Insider" starred Al Pacino and Russell Crowe.

A decade later he is trying to bribe a Judge with $50,000? I would say it was a combination of greed and power going to his head. Maybe that is why the "Post" reported that he nearly fainted and swayed from side to side when the Judge scolded him. He had to sit down before the sentence was read out. He must have believed that he was untouchable.

It's just a shame that he wasn't touched with a heavier sentence. A twenty year sentence would have sent out an even more powerful message. Still and all, the idea of wearing a prison jumpsuit and eating balogna sandwiches is probably like a life sentence to someone who believed themselves to be above the law.

The article claims that many high profile friends petitioned Judge Biggers for leniency when sentencing Scruggs. He's lucky I am not the warden at his jail. I think he would be a perfect candidate for the toilet cleaning squad.

Bill Gates retires, Symbian goes open source

Thu, 26 Jun 2008 20:00:00 +0000

Microsoft, usually a source of software patch updates and claims about Vista adoption rates, produced a bit of sentimental news this week as Bill Gates stepped away from his daily corporate duties on Friday. Gates, who founded Microsoft at age 19, will now devote his time to philanthropic work. Meanwhile, the U.S. Senate discussed the issue of laptop searches and seizures at the nation's borders and also decided to delay a vote on a controversial spy bill. While on the topic of controversial plans, an ISP (Internet service provider) suspended a program that would have served up ads based on a user's Internet history after the move sparked privacy concerns. Yahoo, a perennial name in this space, defended its Google ad deal on Wednesday and the next day launched yet another reorganization. Finally, Oracle wants at least US$1 billion from SAP due to infractions supposedly committed by a subsidiary.

Oracle: Damages in SAP-TN suit could top $1B

Thu, 26 Jun 2008 09:00:00 +0000

Oracle's attorneys are saying its damages in the SAP-TomorrowNow lawsuit could be more than $1 billion.

White House Refused to Open Pollutants E-Mail

Thu, 26 Jun 2008 08:54:58 +0000

This is by far one of the more asinine things I have read in a while and speaks volumes to lunacy in the White House. The WH refused to open an email that was sent by the EPA because they disagreed with the conclusion that greenhouse gases are pollutants.

So, they played three monkeys and said, “la la la, I can’t see it. la la la” (not an exact quote) But, that’s not where the absurdity ends. The EPA could have sent a printed copy and that would have been the end of it.

Nope.

Instead they rewrote the conclusions to make more palatable for the dunking bird-set. Email has always been a best effort tool that has morphed into business critical function over the years. But, to say they wouldn’t open an email…wow. Remember folks, if you are a Republican or Democrat be sure to VOTE. You have a responsibility.

From NY Times:

Over the past five days, the officials said, the White House successfully put pressure on the E.P.A. to eliminate large sections of the original analysis that supported regulation, including a finding that tough regulation of motor vehicle emissions could produce $500 billion to $2 trillion in economic benefits over the next 32 years. The officials spoke on condition of anonymity because they were not authorized to discuss the matter.

Both documents, as prepared by the E.P.A., “showed that the Clean Air Act can work for certain sectors of the economy, to reduce greenhouse gases,” one of the senior E.P.A. officials said. “That’s not what the administration wants to show. They want to show that the Clean Air Act can’t work.”

November can’t come soon enough.

Article Link

Googles Culture of Yes

Mon, 23 Jun 2008 11:21:46 +0000

Recently, Eric Schmidt gave quite an inspirational speech at the Economic Club of Washington. It was so interesting; I wanted to share this with you in case you missed it. The entire speech is rather long but here’s the section on Google’s Culture of Yes.

After hearing his speech, I thought about how Eric and Google are impacting the digital revolution after so many others have tried unsuccessfully over the last 25 years. He has led the company through a period of explosive growth from $1 Billion to over $16 Billion in the past year, while keeping the young, fun, irreverent culture intact. Considering the meteoric rise of Google’s popularity in a reasonably short period of time, to the point that the company name is now actually a verb!

The point that I found enlightening was his summary, which you can scroll to at the 26 - 30 minutes timeframe in the presentation, where he shared an interesting glimpse into the culture of Google. “Creating more luck, giving yourself more at bats, being out there… to think big and inspire a culture of YES.” The culture of Yes inspires people to aim higher and be ambitious in their reach and goals.

That is a very interesting point in which I really believe. If there is one thing that all companies and especially small companies struggle with because of natural resource constraints, it is building a strong culture of Yes. We have tried to do this from the very inception of ScienceLogic, but it continues to get harder and harder the larger the business grows. To consistently inspire a principle of Yes, without agreeing to every idea that flows across my desk is amongst the most challenging parts of our daily jobs. However if I could create the perfect scenario, we would intuitively strive for a principle of Yes and inspire our associates and our ecosystem of partners and customers to use this simple concept to confidently go forward.

Eric says, “It is possible to build a culture around innovation. It is possible to build a culture around leadership, and it is possible to build a culture around optimism.” Google is a great example, but by no means the only example. I agree with Eric’s summary and hope to lead ScienceLogic according to these very basic but essential principles. “Let’s be revolutionaries. Let’s take this opportunity, this huge change that is before us with technology and let’s change our businesses, our communication and the way we interact on some new principles that reflect the very best in America.”

ShareThis

Links List 6.13.08

Fri, 13 Jun 2008 09:01:36 +0000

Nothing to do with monitoring, but completely funny. I have not been following the Broadcom ex-CEO Henry Nicholas’ exploits, and now I think I should have been. Not only did this bad boy add a fictional $2.2 billion worth of revenue to his company’s bottom line, a second indictment also charges him with a slew of stuff including “spiking customer and employee drinks with ecstasy and other drug-related charges”. The best one: during a trip to Vegas on his private plane, Nicholas and others smoked so much pot that the pilot had to put on an oxygen mask.

Sevcik and Wetzel have a consistently interesting column on Application Performance Management at NetworkWorld. This week, they unveiled the results of a benchmarking survey that tells them mid-sized enterprises have it harder when it comes to deploying such solutions.

We agree; it’s why we exist. Mid-sized enterprises have the same IT problems but not nearly the same amount of resources as the really big guys to throw against solving them.

VMWare’s acquisition of B-hive continues to generate buzz for performance management and virtualization. I love this quote from the CEO of Aternity, “The next big frontier is the ability to transform huge amounts of data into actionable business intelligence that correlates across platforms.” Um, we’re already doing this. What would be the purpose of collecting hundreds of millions of data points if you couldn’t actually present the data in a meaningful way? Maybe his comment was taken out of context and it’s more about the fact that it’s often difficult to get consistent and accurate info on virtualization resource utilization stats in particular. That we totally agree with. Another take on the B-hive acquisition: VMTN blog gives a quick overview of what it means for infrastructure groups and virtual environments.

ShareThis

Sometimes, It Takes a Thief to Catch a Thief

Mon, 09 Jun 2008 13:00:00 +0000

News from Portfolio.com

Also on Portfolio

Time for Tech to Throw Everything Into Energy

Hollywood Frets Over Corruption Crackdown

McCaw's Back to Remake the Wireless Landscape

Subscribe to Portfolio magazine

Apollo Robbins won't say whether he's ever stolen anything in his life, but it's clear he could if he wanted to. Having grown up in Missouri with three half-brothers who were all involved in various criminal activities (one of them is in the witness protection program after testifying against former colleagues of his), the 34-year-old Robbins was indoctrinated at an early age into the finer aspects of pickpocketing and con games.

He eventually developed those skills into a successful career as a sleight-of-hand artist and performer in Las Vegas. His latest act, though, has him starring as a corporate security consultant. In this role, it is less his dexterous hands that appeals to his clients than his mastery of all aspects of criminal cons, grifts, and social-engineering ploys.

"When you're trying to steal something, you find the weakest link and work that," Robbins says. "Nowadays, as technology gets better and security systems get harder to break through, the weakest link in any system is the human running it."

Robbins founded his consulting operation, Whizmob Inc. (the name comes from the street term for a team of pickpockets working together), two years ago while still performing full-time.

After doing a show a few years back in which he pickpocketed Secret Service agents accompanying former president Jimmy Carter, the resulting publicity led several law-enforcement agencies and other groups to contact him about his techniques.

"At first, I'd refer them to security people I knew," says Robbins. "Then I realized that instead of being a referral service, I could capitalize on this."

It was a good time to get in on the act. Information security consulting, which barely existed in the mid '90s, has become an estimated $10 billion to $12 billion business as the need to protect sensitive information stored on computers and servers has become a more central concern.

Today, Robbins counts the N.F.L., TNT, and several Fortune 500 companies among his customers. He recently advised the N.F.L. on information security protection at this year's Super Bowl in Phoenix to combat the expected flow of thieves and con artists lured by all the deep-pocketed spectators coming to town.

His work included getting a major hotel to upgrade its WiFi security so that fake access programs known as Trojans couldn't extract valuable data and password information from unsuspecting guests' computers. And at the stadium where the game was held, Robbins and his team identified areas where pickpockets would most likely operate—specifically, places with lots of traffic where bumping into people would be customary, and easy access to exits for escape purposes.

Besides the shadier elements of Robbins' childhood, his father, a blind minister, instilled in him a strong sense of morality. "It was like living in two worlds," Robbins says.

In many ways, he still is living in two worlds, since he keeps in regular contact with some professional thieves he knows in order to stay abreast of the latest cons. (While he doesn't pay them, Robbins says that "a lot of these guys are really good at what they do but they can't exactly discuss it with a lot of people.") But increasingly, Robbins is spending time in the more staid settings of the corporations that hire him to vet their security systems.

"It's a good time to be in the business," he says.

Your Router Crashing? Could Be XP SP3

Sat, 07 Jun 2008 22:49:38 +0000

Here’s an interesting article. Apparently people have been noticing that their broadband modems have been crashing. It turns out that the culprit could very well be Windows XP with SP3.

From APCMAG:

Broadband modem/router maker Billion says XP SP3 has been causing its BiPAC 5200-series routers to go into a constant crash and reboot cycle.

The company has produced firmware upgrades that solve the problem.

Although Windows XP SP3 has been available for manual download from Microsoft since May 6, it has just hit Windows Update as an automatic upgrade, which will cause unexpected problems for owners of “unpatched” Billion BiPAC 5200 routers, and possibly other brands or models of router.

The affected BiPAC 5200 firmware versions are 2.9.8.x and 2.11.0.x~2.11.33.x.

Reminds me of the problem that Vista caused on wireless networks when it first came out.

Article Link

1st Source Bank reissues all debit cards in response to breach

Thu, 05 Jun 2008 05:09:56 +0000

Technorati Tag: Security Breach

Date Reported:
5/30/08

Organization:
1st Source Bank

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Debit card information including Track 2 data contained on magnetic stripes and some PIN numbers

Breach Description:
"South Bend, Ind.-based 1st Source Bank is reissuing its entire portfolio of debit cards after a hacker or hackers broke into a bank server containing debit card data. No fraud has been discovered as a result of the intrusion"

Reference URL:
Digital Transactions News
WSBT TV News
South Bend Tribune
The Journal Gazette

Report Credit:
WSBT TV News

Response:
From the online sources cited above:

South Bend, Ind.-based 1st Source Bank is reissuing its entire portfolio of debit cards after a hacker or hackers broke into a bank server containing debit card data.
[Evan] I wonder how many debit cards are in its "entire portfolio". I'm guessing that the number is in the tens of thousands.

a hacker broke into the system from the outside and compromised the system.

No fraud has been discovered as a result of the intrusion

The $4.5-billion-asset bank with 79 branches in northern Indiana and southern Michigan began alerting customers last month after an outside monitoring service it uses noticed on May 12 an unusual flow of data from a bank server containing debit card data, says James Seitz, senior vice president of consumer and electronic banking. "We immediately saw that and shut it down," says Seitz.
[Evan] It appears as though the bank employs a managed security services provider for intrusion detection monitoring and alerting (and possibly more). Using a third-party provider as a part of information security strategy is probably a good idea for organizations that do not have, cannot afford, or do not want to build in-house expertise. Managing third-party service agreements can sometimes be quite a challenge.

The bank notified law-enforcement authorities and hired outside forensic firms to analyze the breach.

"The server that holds our debit card information they were in there and they transferred information out. But we can't really tell if it was 10, 20, or 30 percent of our card holders," said Seitz.

They did, however, get Track 2 data contained on magnetic stripes, including account numbers, according to Seitz, as well as PINs in at least some cases. "They got some PIN numbers, but a very small percentage compared to the debit card base that we have," says Seitz.

Exactly how the hackers tapped the server isn’t publicly known.
[Evan] This will be determined as part of the forensic investigation, but publicly this may never be known. We can only speculate. The information that was compromised is very sensitive and should have never been accessible from the "outside". Who knows if the server was actually compromised directly or through another avenue of attack. See, I am speculating. Thankfully, the bank had detective controls in place.

1st Source Bank is sending out letters reminding their customers to check their recent bank account activity.
[Evan] As people should anyway.

"Out of an overabundance of care, we’re reissuing new debit cards to all our customers"
[Evan] We could argue "overabundance".

the bank is reissuing all cards, which are MasterCard-branded, as a precaution

1st Source also is offering customers free credit-report monitoring for a year.

He adds that he couldn’t comment about the state of the bank’s compliance with the Payment Card Industry data-security standard, or PCI.
[Evan] The Visa U.S.A. Cardholder Information Security Program (CISP) "List of Compliant Service Providers - All" is here (a little different, but good information nonetheless).

"We are working with law enforcement to find these bad guys, and we didn't want to tip them off," said James Seitz
[Evan] Chances are that the "bad guys" already know what the have.

"Our number one priority is our customers. We shut everything down right away and hired the best people we could get our hands on to see what happened here and to make sure it doesn't happen again," said Seitz.

1st Source began working with law enforcement and called in a forensic computer specialist team from the Washington, D.C., area to shut down the breach immediately and to help determine who was behind it.
[Evan] 1st Source should be commended for not hesitating to bring in outside help.

It has taken a while to get all the information out about the breach, Seitz said, since the bank had to spend time going through all of its laptops and computer systems.

"You've got to understand what you have," he said.
[Evan] A high-priority task for information security governance is to understand what you have. During an incident response is not a good time to figure out what you have.

Though the breach is something rather new for 1st Source, Seitz said these types of breaches seem to be hitting businesses in general more and more this day and age.

"Certainly, it's never happened to us before," Seitz said. "But it's becoming more prevalent. Daily, banks are going through this."
[Evan] Breaches are as prevalent or more prevalent than they have ever been. I agree with Mr. Seitz. Recognizing this fact, what excuses do organizations have for not investing in and properly managing information security programs? I am not saying that 1st Source does not, I am writing in general terms.

Bank officials have yet to tally the cost of mailings to customers, creating new debit cards, consultants’ fees, paying for identity theft protection and employee overtime related to the security breach. Seitz called it a "considerable cost."

"Actually, our customers have been very understanding," he said. "Obviously, this is something that puts a little stress on that relationship."

Customer Reactions:
"My main worry is that my money is going to be gone tomorrow when I got to my account," said Jeremy Reinke, a 1st Source Bank customer.

"Is my money still in my account, and can they correct this so it doesn't happen again?" asked Chris Stump, another customer who hadn't heard about the May 12 security breach. "I guess in some ways I would have liked to know by now."

Commentary:
Judging from the customer comments I have read, people are concerned about the breach, but not angry with 1st Source Bank. I think this is because they perceive the bank's response to be open and genuine. The bank did employ proper controls to identify this breach early on and provided notice to customers in a timely manner. The fact that the bank took additional steps like re-issuing cards and providing credit monitoring only adds to the favorable perception.

I am still interested in knowing more detail around how an unauthorized outside entity was able to access this sensitive information in the first place.

Past Breaches:
Unknown

The War on Photography

Thu, 05 Jun 2008 02:44:54 +0000

What is it with photographers these days? Are they really all terrorists, or does everyone just think they are?

Since 9/11, there has been an increasing war on photography. Photographers have been harrassed, questioned, detained, arrested or worse, and declared to be unwelcome. We've been repeatedly told to watch out for photographers, especially suspicious ones. Clearly any terrorist is going to first photograph his target, so vigilance is required.

Except that it's nonsense. The 9/11 terrorists didn't photograph anything. Nor did the London transport bombers, the Madrid subway bombers, or the liquid bombers arrested in 2006. Timothy McVeigh didn't photograph the Oklahoma City Federal Building. The Unabomber didn't photograph anything; neither did shoe-bomber Richard Reid. Photographs aren't being found amongst the papers of Palestinian suicide bombers. The IRA wasn't known for its photography. Even those manufactured terrorist plots that the US government likes to talk about -- the Ft. Dix terrorists, the JFK airport bombers, the Miami 7, the Lackawanna 6 -- no photography.

Given that real terrorists, and even wannabe terrorists, don't seem to photograph anything, why is it such pervasive conventional wisdom that terrorists photograph their targets? Why are our fears so great that we have no choice but to be suspicious of any photographer?

Because it's a movie-plot threat.

A movie-plot threat is a specific threat, vivid in our minds like the plot of a movie. You remember them from the months after the 9/11 attacks: anthrax spread from crop dusters, a contaminated milk supply, terrorist scuba divers armed with almanacs. Our imaginations run wild with detailed and specific threats, from the news, and from actual movies and television shows. These movie plots resonate in our minds and in the minds of others we talk to. And many of us get scared.

Terrorists taking pictures is a quintessential detail in any good movie. Of course it makes sense that terrorists will take pictures of their targets. They have to do reconnaissance, don't they? We need 45 minutes of television action before the actual terrorist attack -- 90 minutes if it's a movie -- and a photography scene is just perfect. It's our movie-plot terrorists that are photographers, even if the real-world ones are not.

The problem with movie-plot security is it only works if we guess the plot correctly. If we spend a zillion dollars defending Wimbledon and terrorists blow up a different sporting event, that's money wasted. If we post guards all over the Underground and terrorists bomb a crowded shopping area, that's also a waste. If we teach everyone to be alert for photographers, and terrorists don't take photographs, we've wasted money and effort, and taught people to fear something they shouldn't.

And even if terrorists did photograph their targets, the math doesn't make sense. Billions of photographs are taken by honest people every year, 50 billion by amateurs alone in the US And the national monuments you imagine terrorists taking photographs of are the same ones tourists like to take pictures of. If you see someone taking one of those photographs, the odds are infinitesimal that he's a terrorist.

Of course, it's far easier to explain the problem than it is to fix it. Because we're a species of storytellers, we find movie-plot threats uniquely compelling. A single vivid scenario will do more to convince people that photographers might be terrorists than all the data I can muster to demonstrate that they're not.

Fear aside, there aren't many legal restrictions on what you can photograph from a public place that's already in public view. If you're harassed, it's almost certainly a law enforcement official, public or private, acting way beyond his authority. There's nothing in any post-9/11 law that restricts your right to photograph.

This is worth fighting. Search "photographer rights" on Google and download one of the several wallet documents that can help you if you get harassed; I found one for the UK, US, and Australia. Don't cede your right to photograph in public. Don't propagate the terrorist photographer story. Remind them that prohibiting photography was something we used to ridicule about the USSR. Eventually sanity will be restored, but it may take a while.

This essay originally appeared in The Guardian.